Service Provider Blocks Tor to Silent Circle Claiming Security Threat

Service Provider Blocks Tor to Silent Circle Claiming Security Threat
January 21 2015

The Claim:

"Tor exist nodes are routinely used as methods by Threat Actors to exfiltrate data from compromised endpoints. As an example, the Financial Sector has seen significant issues from them.“ FireHost

The Issues:

• Bad guys use it; let’s treat everybody as bad guys
• Breaking functionality without considering overall picture
• Alternatives:  Filter outgoing connections?
• Incident handling best practices

The Story:

In December 2014, members of our network security team (including the two authors), learned that those attempting to access the website of a secure communications provider (Silent Circle) over Tor were no longer able to do so.

Up to that time we had been recommending use of Tor and Silent Circle's phone and texting services to biomedical research whistleblowers, fraud investigators, and attorneys with whom we attempt to work in a confidential manner. (However, we do not work for or represent Silent Circle, nor is Silent Circle the focus of this post.)

Instead, we were concerned by the loss of Tor access to Silent Circle because the rejection of Tor by web service providers was not unique in our experience. (For example, see comments about SwissMail, below.)

Here, we pursue what happened in the particular case of blockage of Tor access by Silent Circle's web service provider, FireHost.

Silent Circle was contacted by us in December 2014 to inform them of this development. They confirmed our observations, and told us that their web service provider, FireHost, no longer allowed access to their servers via Tor. Silent Circle's technical support also told us with respect to their views of Tor, "Definitely, it is important".

It was noted to Silent Circle that as a provider of a product that in part may help provide more confidentiality, and not merely end-to-end encryption, a requirement that users' IP addresses could be used to identify those logging in to the Silent Circle site could be seen as a step back from what the product had originally offered.

Silent Circle itself know the identity of the primary account holder from his or her payment information. Silent Circle could also know the phone identity information for any user, including those who were given Ronin codes. Such codes can be purchased and provided to another person in order for an account to be setup without entering any personal information (other than any information provided by the Ronin code user's phone).

Therefore, as is usual with such network security products, a user must have some faith in the integrity of the provider. To make themselves less susceptible to pressure for user information, Silent Circle, like many similar companies today, retains very limited logs of calls and texts.

Unfortunately, with the loss of Tor access to their site, users now must trust not only Silent Circle, which has made representations regarding its integrity, but also Silent Circle's service provider and their logs, which have not done so.

In other words, if the service provider can independently provide identifying information about Silent Circle users, then Silent Circle's representations to protect such information could be circumvented.

Silent Circle agreed to inquire with their provider, FireHost of Dallas, Phoenix, and London, as to why Firehost was now blocking Tor. The following response from FireHost was provided to us by Silent Circle on January 21, 2015:

"Tor exit nodes are routinely used as methods by Threat Actors to exfiltrate data from compromised endpoints. As an example, the Financial Sector has seen significant issues from them.

Overall, permitting their connectivity is seen as a High Severity Security Risk to an organization much like enabling Peer to Peer applications within a corporate environment.

For these reasons we have taken the stance to block TOR exit nodes across our cloud.

Hope this helps, if there are no further questions, I'll go ahead and set this ticket to resolved. If you'd like to have a more detailed conversation, I can line up the CSO to jump on a call with us to discuss TOR Exit Node issues in more depth. -Wayne"

FireHost would not comment further to us directly (January 21, 2015) citing that we were not their clients. However, as we argued above, the changes FireHost put in effect could make Silent Circle customer identity information subject to FireHost's privacy policies.

Some general issues

Many people are concerned that there might be pressure on web service providers by governmental entities (FireHost is located in the U.S. and U.K.) to block Tor, especially in response to highly publicized network attacks and thefts (which have seemed very high profile in the past year).

While a number of  authors have written about the downsides of applying such pressure on service providers, here we want to address a potentially mistaken belief by some web providers that they are significantly enhancing security by blocking Tor. (Aside from FireHost, for example, Swissmail also blocks login attempts over Tor, and they also claimed to be doing so as a defense against inappropriate web contacts.)

One problem with such arguments is that they imply that only through direct use of Tor could attackers access servers in a more anonymous way. We'll be posting on alternate attacks routes that achieve similar ends. Here we'll just note that among the various anonymizing options available to potential attackers would be to have an intermediate link of the attack route travel over Tor.

Furthermore, the underlying implication of such arguments is that Tor is a foolproof method for criminals to evade investigation. However, many events have suggested that this is not the case, particularly when the investigating authority is quite powerful. In particular, the ability of entities to correlate traffic and take other actions such as targeting servers, as long noted by Tor itself, can make a significant difference in its ability to break anonymity.

Therefore, we believe that Tor is a significant enhancer of security for user identities, rather than some perfect protection. As with locks, there are gradations of security, and probably none are completely secure against a very powerful adversary, especially not if that adversary targets a particular "anonymous" user.

We believe it is unfortunate that there are organizations that prefer to break a technology’s functionality because a small group of people has decided to use that technology for illegal purposes, without evaluating how their actions will affect a larger group of people that actually are using the technology for its intended purpose - which in the case of TOR is maintaining freedom of speech. Anonymity is not a bad thing by itself, it is required in several situations where keeping the true identity of a person is a necessity in his or her job (law enforcement) or even more is critical for their survival (for example, exposing information from repressive regimes).

FireHost specifically cited the use of Tor in exfiltration attacks. This raises the point that outgoing communications over Tor could be filtered, without preventing connections from Tor. And it appears that FireHost is doing a sloppy job against this "High Security Threath". Our tests showed that it was still possible to access a subdomain from Silentcircle thru TOR; in this case https://accounts.silentcircle.com (as of the January 27, 2015). It seems that FireHost is just trying to stop traffic to a particular host/IP address, which is a naive action considering a resourceful attacker will have multiple exfiltration endpoints (botnets anyone?).

A good Incident response practice is to correctly identify the involved IP address(es)  and filter those IP addresses along with notifying any clients that could be affected before taking any disruptive action; but not to filter an entire port/service out of a misinterpreted/misguided concept of security. Another option from an incident response point of view is that to filter the traffic to the TOR exit point identified as the one being used by the attacker to try to hide the exfiltration operation; this will reduce the number of legit TOR users affected and the measure should last until the incident is resolved. That would be like closing a road due a policy or fire emergency, it is done for the duration of the incident. Furthermore the affected financial entities that complain about TOR being used as an instrument in the exfiltration operation could filter the outgoing traffic from their network to the specific TOR exit point or any other destination without affecting third parties upstream traffic.

Therefore, our advice to Silent Circle was to change to a service provider that doesn’t block TOR, which is what appeared to be the case for their provider, FireHost, prior to late last year. (One such security web host would be Luxsci.)

Nick and Rob